BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
References
Link | Resource |
---|---|
https://docs.bigbluebutton.org/dev/api.html | Product |
https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit Third Party Advisory |
https://docs.bigbluebutton.org/dev/api.html | Product |
https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 05:21
Type | Values Removed | Values Added |
---|---|---|
References | () https://docs.bigbluebutton.org/dev/api.html - Product | |
References | () https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html - Exploit, Third Party Advisory |
Information
Published : 2020-10-21 15:15
Updated : 2024-11-21 05:21
NVD link : CVE-2020-27604
Mitre link : CVE-2020-27604
CVE.ORG link : CVE-2020-27604
JSON object : View
Products Affected
bigbluebutton
- bigbluebutton
CWE
CWE-116
Improper Encoding or Escaping of Output